Secure and Reliable Billing Software

A winning combination of enterprise-grade security to protect your customers and proven reliability to keep your recurring billing running smoothly.

PCI DSS Level 1 Compliant

Chargify is annually audited to maintain the highest level of PCI compliance for a service handling sensitive payment data. With billing information flowing through Chargify, you can comply with industry-standard security practices without the time and resources required to maintain such standings. Our number one goal is to protect you and your customers.

Download Chargify’s compliance validation

SOC 1 Type I Report

Service Organization Controls (SOC) exist to validate a company’s controls and ensure industry standards are followed. Our SOC 1 report was prepared in accordance with the Statement on Standards for Attestation Engagements No. 16 (a.k.a. SSAE 16) and documents operational policies and procedures for Chargify’s system of internal controls.

Two-Factor Authentication

As a security best practice, we require secure passwords for all Chargify users. As an additional layer of protection, we provide the ability to enable two-factor authentication. When enabled, internal team members must enter an authentication token from their mobile device prior to gaining access to the Chargify interface.

Fine-Grained User Access Controls

Your teams play important roles in running your subscription business, but not every team member needs full access to Chargify’s interface. Customer support needs to access and manage subscription information, finance needs to view and export financial metrics, etc. Our access controls allow you to define what users can see and do within your Chargify account.

Reliability You Can Count On

Data Redundancy

Our software runs in three datacenters across the US. On a daily basis, we export the database and store it in an offsite facility for extra redundancy.

24/7 Monitoring

Extensive performance and availability monitoring allows us to keep a close eye on system health and mitigate unforeseen issues early on.

99.99% Uptime

Uptime is as mission critical to us as it is to your business. Our trailing three-year uptime record is 99.99%, and we’re fanatical about maintaining that record. View our uptime report.

Hacker Tested

We regularly submit ourselves to hacking by the best "good-guy" hackers in the business. This practice ensures we remain the most reliable, secure system in the industry.

PGP Key

By default, we provide a PGP key to encrypt sensitive communication that you send to us.

Key ID: EEF6884E
Key type: RSA
Key size: 4096
User ID: Chargify Security (security@chargify.com)
Fingerprint: 7230 A3CC 38B3 ECD2 23AB FCB4 F9F4 9BA1 EEF6 884E
Expires: 2019-11-28

Help Us Keep Chargify Secure

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

If you believe you have discovered a potential flaw in any area of Chargify's security measures, we ask that you please share the information with us first and retain secrecy of your findings until we have remediated the issue.

If you have identified a vulnerability, report it via email to security@chargify.com

We ask that you follow these rules for any responsible use of our system:

  • You may create a test account with the following limits: TWO accounts each with no more than TWO sites and TWO users.
  • Not in scope: Any ancillary sites not directly hosted by Chargify (such as reference.chargify.com, status.chargify.com, help.chargify.com, Zendesk, Tumblr, etc.)
  • All data object creation is limited to a maximum of 50 objects per type
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We’ve had these run hundreds of times already
  • Scripted / API tests must be rate limited to 1 request per second
  • Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
  • No DOS/DDOS tests
  • Absolutely no physical testing such as office access (e.g. open doors, tailgating).
  • Absolutely no social engineering (e.g. phishing, vishing).

We ask that you please do not submit low-value issues that have only loose connections to known best practices, unless you can demonstrate a chained attack with higher impact. Google maintains an exhaustive list with explanations. This also includes things like:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HttpOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Username enumeration via Login Page error message
  • Username enumeration via Forgot Password error message
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS / TRACE HTTP method enabled
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL Insecure cipher suites
  • Missing anti-MIME-sniffing header (X-Content-Type-Options)
  • Missing HTTP security headers